Sunday, December 27, 2009

Capture VLAN tagged frames

Capturing VLAN frames can be frustrating.

To make a long story short, the VLAN tag is stripped off before the capture, so when looking at the capture all you see is the untagged frame.

This has a relatively easy solution: a Linux bridge. Any Linux box can be a bridge, and better yet, a bridge link must pass the packets as is.

Enough talking, on to an example:

We have 2 Linux boxes connected via a VLAN-enabled network.

Let's set up a VLAN-tagged connection:

box1 # vconfig add eth1 2222
Added VLAN with VID == 2222 to IF -:eth1:-

# ifconfig eth1.2222 123.123.123.50 up





box2 # vconfig add eth1 2222
Added VLAN with VID == 2222 to IF -:eth1:-

# ifconfig eth1.2222 123.123.123.60 up

Ping is working, but the capture doesn't show the VLAN frame.

box2 is our target host for capturing:
box2 # vconfig rem eth1.2222
Removed VLAN -:eth1.2222:-
# ifconfig eth1 0.0.0.0 up
# brctl addbr br50
# brctl addif br50 eth1
# ifconfig br50 up
# vconfig add br50 2222
# ifconfig br50.2222 123.123.123.60 up

And we're done. Capture on eth1:
# tcpdump -ni eth1 -w /tmp/foo.pcap

And here is a sample frame:
17:59:04.850285 00:1a:64:f1:75:97 > 00:50:56:91:78:13, ethertype 802.1Q (0x8100), length 102: vlan 2222, p 0, ethertype IPv4, 123.123.123.50 > 123.123.123.60: ICMP echo request, id 9757, seq 3, length 64
And just for the fun of it, here is one with the priority field set to 4:
17:59:04.850450 00:50:56:91:78:13 > 00:1a:64:f1:75:97, ethertype 802.1Q (0x8100), length 102: vlan 2222, p 4, ethertype IPv4, 123.123.123.60 > 123.123.123.50: ICMP echo reply, id 9757, seq 3, length 64

Don't you just love Linux?
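
To check a saved capture such as /tmp/foo.pcap for the 802.1Q tag without reading tcpdump output by eye, this added example (not part of the original post) walks a classic pcap file and reports VLAN ID, priority and DEI per frame, or None where the tag is missing. The function names and the constructed sample capture are assumptions for illustration; the sample reuses the MAC addresses, VLAN 2222 and priorities 0 and 4 from the frames above.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def parse_vlan(frame: bytes):
    """Return (vid, pcp, dei, inner_ethertype), or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None  # tag absent: stripped before capture, or never tagged
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    # TCI layout: 3 bits priority (PCP), 1 bit DEI, 12 bits VLAN ID
    return (tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, inner)

def vlan_tags_in_pcap(data: bytes):
    """Yield parse_vlan() results for every record of a classic pcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("link type is not Ethernet")
    offset = 24  # size of the pcap global header
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield parse_vlan(data[offset:offset + incl_len])
        offset += incl_len

def build_frame(dst: str, src: str, tci=None) -> bytes:
    """Constructed sample frame: MACs from the post, zeroed dummy IPv4 payload."""
    tag = b"" if tci is None else struct.pack("!HH", TPID_8021Q, tci)
    return bytes.fromhex(dst) + bytes.fromhex(src) + tag + b"\x08\x00" + b"\x00" * 46

def sample_pcap() -> bytes:
    """Constructed capture: two tagged frames and one with the tag stripped."""
    frames = [
        build_frame("005056917813", "001a64f17597", (0 << 13) | 2222),  # p 0
        build_frame("001a64f17597", "005056917813", (4 << 13) | 2222),  # p 4
        build_frame("001a64f17597", "005056917813"),                    # untagged
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(list(vlan_tags_in_pcap(sample_pcap())))
```

To run it against a real capture, pass the file's bytes to `vlan_tags_in_pcap()`; a result of None for traffic you know is tagged means the tag was stripped before the capture point.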